Events Manager - Version 5.5.7.1

Version Description

  • fixed a minor DOM XSS vulnerability

Release Info

Developer netweblogic
Version 5.5.7.1

Code changes from version 5.5.6 to 5.5.7.1

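--- a/admin/bookings/em-cancelled.php
+++ b/admin/bookings/em-cancelled.php
@@ -36,7 +36,7 @@ function em_bookings_cancelled_table(){
  </ul>
  <p class="search-box">
  <label class="screen-reader-text" for="post-search-input"><?php _e('Search', 'dbem'); ?>:</label>
- <input type="text" id="post-search-input" name="em_search" value="<?php echo (!empty($_GET['em_search'])) ? $_GET['em_search']:''; ?>" />
+ <input type="text" id="post-search-input" name="em_search" value="<?php echo (!empty($_GET['em_search'])) ? esc_attr($_GET['em_search']):''; ?>" />
  <input type="submit" value="<?php _e('Search', 'dbem'); ?>" class="button" />
  </p>
  -->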
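Review bot: `esc_attr($_GET['em_search'])` on the changed line escapes the value but leaves WordPress's added slashes in place, so a search term containing a quote is echoed back with a backslash in front of it; consider `esc_attr(wp_unslash($_GET['em_search']))` (or `stripslashes()` while WP 3.5, the minimum given in readme.txt, is still supported). The same line is patched identically in admin/bookings/em-confirmed.php, em-pending.php, em-person.php and em-rejected.php, so the same applies there. The closing context line is `-->`, which suggests this search box sits inside an HTML comment; PHP inside an HTML comment still executes and its output reaches the browser, so the escape is needed even there, though dead markup is better removed than carried. The enclosing function em_bookings_cancelled_table() starts and ends outside the hunk.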
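--- a/admin/bookings/em-confirmed.php
+++ b/admin/bookings/em-confirmed.php
@@ -37,7 +37,7 @@ function em_bookings_confirmed_table(){
  </ul>
  <p class="search-box">
  <label class="screen-reader-text" for="post-search-input"><?php _e('Search', 'dbem'); ?>:</label>
- <input type="text" id="post-search-input" name="em_search" value="<?php echo (!empty($_GET['em_search'])) ? $_GET['em_search']:''; ?>" />
+ <input type="text" id="post-search-input" name="em_search" value="<?php echo (!empty($_GET['em_search'])) ? esc_attr($_GET['em_search']):''; ?>" />
  <input type="submit" value="<?php _e('Search', 'dbem'); ?>" class="button" />
  </p>
  -->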
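--- a/admin/bookings/em-pending.php
+++ b/admin/bookings/em-pending.php
@@ -51,7 +51,7 @@ function em_bookings_pending_table($event_id = false){
  </ul>
  <p class="search-box">
  <label class="screen-reader-text" for="post-search-input"><?php _e('Search', 'dbem'); ?>:</label>
- <input type="text" id="post-search-input" name="em_search" value="<?php echo (!empty($_GET['em_search'])) ? $_GET['em_search']:''; ?>" />
+ <input type="text" id="post-search-input" name="em_search" value="<?php echo (!empty($_GET['em_search'])) ? esc_attr($_GET['em_search']):''; ?>" />
  <input type="submit" value="<?php _e('Search', 'dbem'); ?>" class="button" />
  </p>
  -->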
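--- a/admin/bookings/em-person.php
+++ b/admin/bookings/em-person.php
@@ -38,7 +38,7 @@ function em_bookings_person_table(){
  </ul>
  <p class="search-box">
  <label class="screen-reader-text" for="post-search-input"><?php _e('Search', 'dbem'); ?>:</label>
- <input type="text" id="post-search-input" name="em_search" value="<?php echo (!empty($_GET['em_search'])) ? $_GET['em_search']:''; ?>" />
+ <input type="text" id="post-search-input" name="em_search" value="<?php echo (!empty($_GET['em_search'])) ? esc_attr($_GET['em_search']):''; ?>" />
  <input type="submit" value="<?php _e('Search', 'dbem'); ?>" class="button" />
  </p>
  -->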
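--- a/admin/bookings/em-rejected.php
+++ b/admin/bookings/em-rejected.php
@@ -36,7 +36,7 @@ function em_bookings_rejected_table(){
  </ul>
  <p class="search-box">
  <label class="screen-reader-text" for="post-search-input"><?php _e('Search', 'dbem'); ?>:</label>
- <input type="text" id="post-search-input" name="em_search" value="<?php echo (!empty($_GET['em_search'])) ? $_GET['em_search']:''; ?>" />
+ <input type="text" id="post-search-input" name="em_search" value="<?php echo (!empty($_GET['em_search'])) ? esc_attr($_GET['em_search']):''; ?>" />
  <input type="submit" value="<?php _e('Search', 'dbem'); ?>" class="button" />
  </p>
  -->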
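--- a/admin/em-admin.php
+++ b/admin/em-admin.php
@@ -209,7 +209,7 @@ function em_admin_warnings() {
  }else{
  ?>
  <div id="message" class="updated">
- <p><?php echo sprintf(__('It looks like you have WPML enabled on your site. We advise you also install our extra <a href="%s">Events Manager WPML Connector</a> plugin which helps the two work better together. <a href="%s">Dismiss message</a>','dbem'),'http://wordpress.org/extend/plugins/events-manager-wpml/', add_query_arg(array('disable_em_wpml_warning'=>1))); ?></p>
+ <p><?php echo sprintf(__('It looks like you have WPML enabled on your site. We advise you also install our extra <a href="%s">Events Manager WPML Connector</a> plugin which helps the two work better together. <a href="%s">Dismiss message</a>','dbem'),'http://wordpress.org/extend/plugins/events-manager-wpml/', esc_url(add_query_arg(array('disable_em_wpml_warning'=>1)))); ?></p>
  </div>
  <?php
  }
@@ -220,7 +220,7 @@ function em_admin_warnings() {
  }else{
  ?>
  <div id="message" class="updated">
- <p>We have stopped using TimThumb for thumbnails in Events Manager, <a href="http://wp-events-plugin.com/blog/2014/12/05/bye-timthumb/">please see this post</a> for more information on how this may affect you and what options are available to you. <a href="<?php echo add_query_arg(array('dbem_disable_timthumb'=>1)); ?>">Dismiss</a></p>
+ <p>We have stopped using TimThumb for thumbnails in Events Manager, <a href="http://wp-events-plugin.com/blog/2014/12/05/bye-timthumb/">please see this post</a> for more information on how this may affect you and what options are available to you. <a href="<?php echo esc_url(add_query_arg(array('dbem_disable_timthumb'=>1))); ?>">Dismiss</a></p>
  </div>
  <?php
  }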
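Review bot: Nothing in either hunk records why the escaping is needed: `add_query_arg()` called without a URL builds on the current request URI, so the value that lands in the `href` at line 212 (and at line 223 in the second hunk) originates from the request, which is exactly why `esc_url()` belongs there. A one-line comment above the first changed line, `// add_query_arg() with no URL reuses the request URI; escape before placing it in an attribute`, would keep the next maintainer from removing it as redundant; the same applies to the two links patched in admin/em-options.php. The first `%s` at line 212 is a hard-coded http:// URL and is not escaped, which is harmless as written but will not stay so if it is ever made configurable. em_admin_warnings() starts and ends outside both hunks.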
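--- a/admin/em-bookings.php
+++ b/admin/em-bookings.php
@@ -9,7 +9,7 @@ function em_admin_actions_bookings() {
  global $wpdb, $EM_Booking, $EM_Event, $EM_Notices;
 
  if( is_object($EM_Booking) && !empty($_REQUEST['action']) && $EM_Booking->can_manage('manage_bookings','manage_others_bookings') ) {
- if( $_REQUEST['action'] == 'bookings_add_note' ){
+ if( $_REQUEST['action'] == 'bookings_add_note' && wp_verify_nonce($_REQUEST['_wpnonce'],'bookings_add_note') ){
  $EM_Booking->add_note($_REQUEST['booking_note']);
  function em_booking_save_notification(){ global $EM_Booking; ?><div class="updated"><p><strong><?php echo $EM_Booking->feedback_message; ?></strong></p></div><?php }
  add_action ( 'admin_notices', 'em_booking_save_notification' );
@@ -311,7 +311,7 @@ function em_bookings_single(){
  <input type='hidden' name='booking_id' value='<?php echo $EM_Booking->booking_id; ?>'/>
  <input type='hidden' name='event_id' value='<?php echo $EM_Event->event_id; ?>'/>
  <input type='hidden' name='_wpnonce' value='<?php echo wp_create_nonce('booking_set_status_'.$EM_Booking->booking_id); ?>'/>
- <br /><em><?php wp_kses_data(_e('<strong>Notes:</strong> Ticket availability not taken into account when approving new bookings (i.e. you can overbook).','dbem')); ?></em>
+ <br /><em><?php echo wp_kses_data(__('<strong>Notes:</strong> Ticket availability not taken into account when approving new bookings (i.e. you can overbook).','dbem')); ?></em>
  </form>
  </div>
  <form action="" method="post" class="em-booking-form">
@@ -471,6 +471,7 @@ function em_bookings_single(){
  <form method="post" action="" style="padding:5px;">
  <textarea class="widefat" rows="5" name="booking_note"></textarea>
  <input type="hidden" name="action" value="bookings_add_note" />
+ <input type="hidden" name="_wpnonce" value="<?php echo wp_create_nonce('bookings_add_note'); ?>" />
  <input type="submit" value="Add Note" />
  </form>
  </div>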
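Review bot: The new nonce check at line 12 reads `$_REQUEST['_wpnonce']` before testing that it exists, so a request carrying `action=bookings_add_note` without a nonce raises an undefined-index notice instead of simply failing the check; guard it as `!empty($_REQUEST['_wpnonce']) && wp_verify_nonce($_REQUEST['_wpnonce'],'bookings_add_note')`. The nonce action `'bookings_add_note'` is also not bound to a booking, unlike the `'booking_set_status_'.$EM_Booking->booking_id` nonce visible at line 313 of the second hunk; using `'bookings_add_note_'.$EM_Booking->booking_id` in both the check and the `wp_create_nonce()` call added at line 474 would keep the two forms consistent, and the hidden field could be emitted with `wp_nonce_field()` rather than hand-written markup. `$_REQUEST['booking_note']` at line 13 is still handed to add_note() without an existence check. em_admin_actions_bookings() and em_bookings_single() both continue outside their hunks.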
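--- a/admin/em-options.php
+++ b/admin/em-options.php
@@ -211,7 +211,7 @@ function em_admin_options_reset_page(){
  <p style="color:red; font-weight:bold;"><?php _e('Are you sure you want to reset Events Manager?','dbem')?></p>
  <p style="font-weight:bold;"><?php _e('All your settings, including email templates and template formats for Events Manager will be deleted.','dbem')?></p>
  <p>
- <a href="<?php echo add_query_arg(array('_wpnonce2' => wp_create_nonce('em_reset_'.get_current_user_id().'_confirmed'), 'confirmed'=>1)); ?>" class="button-primary"><?php _e('Reset Events Manager','dbem'); ?></a>
+ <a href="<?php echo esc_url(add_query_arg(array('_wpnonce2' => wp_create_nonce('em_reset_'.get_current_user_id().'_confirmed'), 'confirmed'=>1))); ?>" class="button-primary"><?php _e('Reset Events Manager','dbem'); ?></a>
  <a href="<?php echo wp_get_referer(); ?>" class="button-secondary"><?php _e('Cancel','dbem'); ?></a>
  </p>
  </div>
@@ -228,7 +228,7 @@ function em_admin_options_uninstall_page(){
  <p style="font-weight:bold;"><?php _e('All your settings and events will be permanently deleted. This cannot be undone.','dbem')?></p>
  <p><?php echo sprintf(__('If you just want to deactivate the plugin, <a href="%s">go to your plugins page</a>.','dbem'), wp_nonce_url(admin_url('plugins.php'))); ?></p>
  <p>
- <a href="<?php echo add_query_arg(array('_wpnonce2' => wp_create_nonce('em_uninstall_'.get_current_user_id().'_confirmed'), 'confirmed'=>1)); ?>" class="button-primary"><?php _e('Uninstall and Deactivate','dbem'); ?></a>
+ <a href="<?php echo esc_url(add_query_arg(array('_wpnonce2' => wp_create_nonce('em_uninstall_'.get_current_user_id().'_confirmed'), 'confirmed'=>1))); ?>" class="button-primary"><?php _e('Uninstall and Deactivate','dbem'); ?></a>
  <a href="<?php echo wp_get_referer(); ?>" class="button-secondary"><?php _e('Cancel','dbem'); ?></a>
  </p>
  </div>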
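--- a/classes/em-booking.php
+++ b/classes/em-booking.php
@@ -850,7 +850,7 @@ class EM_Booking extends EM_Object{
  if( $this->can_manage() ){
  $this->get_notes();
  $note = array('author'=>get_current_user_id(),'note'=>$note_text,'timestamp'=>current_time('timestamp'));
- $this->notes[] = $note;
+ $this->notes[] = wp_kses_data($note);
  $this->feedback_message = __('Booking note successfully added.','dbem');
  return $wpdb->insert(EM_META_TABLE, array('object_id'=>$this->booking_id, 'meta_key'=>'booking-note', 'meta_value'=> serialize($note)),array('%d','%s','%s'));
  }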
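Review bot: `wp_kses_data($note)` on the changed line is applied to the whole `$note` array rather than to the note text, and only to the in-memory copy: the `$wpdb->insert()` two lines below still serializes the original `$note` built from the raw `$note_text`, so the persisted note is not sanitized at all. Sanitize the string once, where the array is built, `$note = array('author'=>get_current_user_id(),'note'=>wp_kses_data($note_text),'timestamp'=>current_time('timestamp'));`, and keep `$this->notes[] = $note;` so memory and database hold the same value. wp_kses_data() is written for strings; what it returns for an array is not something I would rely on. Wherever stored notes are rendered (outside this hunk) they still need output escaping, since kses on input is not a substitute. The enclosing add_note() method starts and ends outside the hunk.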
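--- a/classes/em-bookings-table.php
+++ b/classes/em-bookings-table.php
@@ -528,7 +528,7 @@ class EM_Bookings_Table{
  if( $csv || ( get_option('dbem_bookings_registration_disable') && $EM_Booking->get_person()->ID == get_option('dbem_bookings_registration_user') ) ){
  $cols[] = $EM_Booking->get_person()->get_name();
  }else{
- $cols[] = '<a href="'.add_query_arg(array('person_id'=>$EM_Booking->person_id, 'event_id'=>null), $EM_Booking->get_event()->get_bookings_url()).'">'. $EM_Booking->person->get_name() .'</a>';
+ $cols[] = '<a href="'.esc_url(add_query_arg(array('person_id'=>$EM_Booking->person_id, 'event_id'=>null), $EM_Booking->get_event()->get_bookings_url())).'">'. $EM_Booking->person->get_name() .'</a>';
  }
  }elseif($col == 'first_name'){
  $cols[] = esc_html($EM_Booking->get_person()->first_name);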
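Review bot: The changed line escapes the href but still concatenates `$EM_Booking->person->get_name()` into the link text unescaped, while the `first_name` column three lines below goes through `esc_html()`; unless get_name() escapes internally, which is not visible here, the link text should be treated the same way, `'">'. esc_html($EM_Booking->get_person()->get_name()) .'</a>'`, which also removes the `->person` versus `->get_person()` inconsistency between adjacent lines. The CSV/plain-text branch at line 529 is not HTML output and is right to stay unescaped. The enclosing method starts and ends outside the hunk.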
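--- a/em-bookings.php
+++ b/em-bookings.php
@@ -155,7 +155,7 @@ class EM_Bookings_Form_Core extends EM_Object {
  </tr>
  <?php endif; ?>
  <?php do_action('em_booking_form_before_user_details'); ?>
- <tr><th scope='row'><?php _e('Comment', 'dbem') ?>:</th><td><textarea name='booking_comment'><?php echo !empty($_POST['booking_comment']) ? $_POST['booking_comment']:'' ?></textarea></td></tr>
+ <tr><th scope='row'><?php _e('Comment', 'dbem') ?>:</th><td><textarea name='booking_comment'><?php echo !empty($_REQUEST['booking_comment']) ? esc_html($_REQUEST['booking_comment']):'' ?></textarea></td></tr>
  <?php do_action('em_booking_form_footer'); ?>
  </table>
  <div class="em-booking-buttons">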
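Review bot: The changed line widens the value's source from `$_POST` to `$_REQUEST`, so the comment field is now pre-filled from GET parameters and cookies as well as from the submitted form; nothing in the hunk needs that, and keeping `$_POST` limits how the field can be reflected. For the body of a `<textarea>` WordPress provides `esc_textarea()`, and the slashes WordPress adds to request data should be stripped first: `<?php echo !empty($_POST['booking_comment']) ? esc_textarea(wp_unslash($_POST['booking_comment'])):'' ?>`. `esc_html()` as written does close the injection (it encodes `<`, so `</textarea>` cannot be smuggled in), so this is a consistency point rather than a remaining hole. The enclosing form-rendering method starts and ends outside the hunk.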
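--- a/em-functions.php
+++ b/em-functions.php
@@ -86,7 +86,7 @@ function em_paginate($link, $total, $limit, $page=1, $data=array()){
  */
  function em_admin_paginate($total, $limit, $page=1, $vars=false, $base = false, $format = ''){
  $return = '<div class="tablenav-pages em-tablenav-pagination">';
- $base = !empty($base) ? $base:add_query_arg( 'pno', '%#%' );
+ $base = !empty($base) ? $base:esc_url_raw(add_query_arg( 'pno', '%#%' ));
  $events_nav = paginate_links( array(
  'base' => $base,
  'format' => $format,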
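Review bot: Only the fallback branch of `$base` is escaped on the changed line; a non-empty `$base` supplied by the caller reaches `paginate_links()` untouched, so the safety of this function now depends on every caller having escaped it already. Either escape both branches, `$base = esc_url_raw(!empty($base) ? $base : add_query_arg( 'pno', '%#%' ));`, or state in the docblock that closes at line 86 that `$base` must already be a sanitized URL containing the `%#%` placeholder. As far as I can tell `esc_url_raw()` leaves `%` and `#` in place, so the placeholder survives the fallback path, but a short comment saying so would spare the next reader the same check. em_admin_paginate() continues outside the hunk.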
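--- a/em-ical.php
+++ b/em-ical.php
@@ -58,7 +58,7 @@
  exit();
  }else{
  //no item exists, so redirect to original URL
- $url_to_redirect = preg_replace("/ical\/$/",'', add_query_arg(array('ical'=>null)));
+ $url_to_redirect = preg_replace("/ical\/$/",'', esc_url_raw(add_query_arg(array('ical'=>null))));
  wp_redirect($url_to_redirect, '302');
  exit();
  }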
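Review bot: The redirect target on the changed line is still derived from the request URI, and the next line hands it to `wp_redirect()`, which does not check the destination host; `wp_safe_redirect()` restricts the target to the site's allowed hosts and is the usual choice whenever the URL is assembled from request data, as it is here. The status is also passed as the string `'302'` where an int is expected, so `wp_safe_redirect($url_to_redirect, 302);`. Applying `esc_url_raw()` before the `preg_replace()` is fine, since the suffix being stripped is the literal `ical/`. The enclosing `else` branch begins outside the hunk.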
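--- a/events-manager.php
+++ b/events-manager.php
@@ -1,7 +1,7 @@
  <?php
  /*
  Plugin Name: Events Manager
- Version: 5.5.6
+ Version: 5.5.7.1
  Plugin URI: http://wp-events-plugin.com
  Description: Event registration and booking management for WordPress. Recurring events, locations, google maps, rss, ical, booking registration and more!
  Author: Marcus Sykes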
readme.txt CHANGED
@@ -3,8 +3,8 @@ Contributors: netweblogic, nutsmuggler
3
  Donate link: http://wp-events-plugin.com
4
  Tags: events, event, event registration, event calendar, events calendar, event management, paypal, registration, ticket, tickets, ticketing, tickets, theme, widget, locations, maps, booking, attendance, attendee, buddypress, calendar, gigs, payment, payments, sports,
5
  Requires at least: 3.5
6
- Tested up to: 4.2.1
7
- Stable tag: 5.5.6
8
 
9
  Fully featured event registration management including recurring events, locations management, calendar, Google map integration, booking management
10
 
@@ -98,6 +98,12 @@ See our [FAQ](http://wp-events-plugin.com/documentation/faq/) page, which is upd
98
  6. Manage attendees with various booking reports
99
 
100
  == Changelog ==
 
 
 
 
 
 
101
  = 5.5.6 =
102
  * fixed security vulnerability
103
 
3
  Donate link: http://wp-events-plugin.com
4
  Tags: events, event, event registration, event calendar, events calendar, event management, paypal, registration, ticket, tickets, ticketing, tickets, theme, widget, locations, maps, booking, attendance, attendee, buddypress, calendar, gigs, payment, payments, sports,
5
  Requires at least: 3.5
6
+ Tested up to: 4.2.2
7
+ Stable tag: 5.5.7.1
8
 
9
  Fully featured event registration management including recurring events, locations management, calendar, Google map integration, booking management
10
 
98
  6. Manage attendees with various booking reports
99
 
100
  == Changelog ==
101
+ = 5.5.7.1 =
102
+ * fixed a minor DOM XSS vulnerability
103
+
104
+ = 5.5.7 =
105
+ * fixed some reported XSS vulnerabilities
106
+
107
  = 5.5.6 =
108
  * fixed security vulnerability
109